Facebook tracks users even when they're logged out, and without telling them


[Welcome, Harvard and Montana FaceBook users. (Yes, I checked my SiteMeter log, and no, I don't track the records. But then, I'm not a humongous corporation trying to model you and your social network, and resell and repackage the results to, well, whoever, and store the information indefinitely, without giving you the opportunity to purge it. Of course, I'm sure you've never gone anywhere online that you wouldn't be totally OK discussing in a job interview, say. I know I haven't.*)]

Facebook has confirmed findings of a CA security researcher that the social-networking site's Beacon ad service is more intrusive and stealthy than previously acknowledged, an admission that contradicts statements made previously by Facebook executives and representatives.

Stefan Berteau, senior research engineer at CA's Threat Research Group, wrote in a note about Beacon's until-then unknown ability to monitor logged-off users' activities and send the data back to Facebook.

Users aren't informed that data on their activities at these sites is flowing back to Facebook, nor given the option to block that information from being transmitted, according to Berteau.

If users have ever checked the option for Facebook to "remember me"-- which saves users from having to log on to the site upon every return to it-- Facebook can tie their activities on third-party Beacon sites directly to them, even if they're logged off and have opted out of the broadcast. If they have never chosen this option, the information still flows back to Facebook, although without it being tied to their Facebook ID, according to Berteau.

Facebook's admission over the weekend contradicts previous statements from the company regarding this issue. For example, in e-mail correspondence with Facebook's privacy department, Berteau was told, among other things, that "as long as you are logged out of Facebook, no actions you have taken on other websites can be sent to Facebook."

A similar statement was made by a high-ranking Facebook official in an interview with The New York Times published Thursday.

"If I buy tickets on Fandango, and decline to publish the purchase to my friends on Facebook, does Facebook still receive the information about my purchase?," a Times reporter asked Chamath Palihapitiya, Facebook's vice president of product marketing and operations at Facebook.

"Absolutely not. One of the things we are still trying to do is dispel a lot of misinformation that is being propagated unnecessarily," Palihapitiya replied.

Well, it's all very simple.

"Absolutely not" means "Yes, definitely!"

I always knew I hated that candy-assed Web 2.0 shit; their extreme hipness disguises their extreme willingness to sell anything about me to anyone and anybody without thinking twice or even letting me know. Heck, they'd sell their own grandmothers into a brothel, if they could resell her data.

NOTE * Without even giving you a cut for the sale of your own data, for pity's sake. I mean, the least they could do is tip decently, eh?

UPDATE Please note that this story broke after FaceBook placed limits on Beacon after users protested; this is new.
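
The logged-out behaviour Berteau describes, modelled as an added example that is not part of the original post and is not Facebook's code. It assumes the "remember me" option is stored as a persistent cookie that survives logout; the hosts (`social.example`, `tickets.example`) and cookie names are hypothetical.

```javascript
// Constructed model of one browser's cookies for a single tracker host.
// Hosts and cookie names are hypothetical, not taken from Facebook.
const TRACKER = 'social.example';

class CookieJar {
  constructor() { this.cookies = new Map(); }
  set(name, value, persistent) { this.cookies.set(name, { value, persistent }); }
  // Assumption: logging out drops the session cookie but not the persistent one.
  logout() {
    for (const [name, c] of this.cookies) if (!c.persistent) this.cookies.delete(name);
  }
  header() {
    return [...this.cookies].map(([n, c]) => `${n}=${c.value}`).join('; ');
  }
}

// A partner page embeds a script served from TRACKER, so the browser attaches
// TRACKER's cookies to the request even though the user is on another site.
function beaconRequest(jar, partnerSite, action) {
  const q = `site=${encodeURIComponent(partnerSite)}&action=${encodeURIComponent(action)}`;
  return { url: `https://${TRACKER}/beacon?${q}`, cookie: jar.header() };
}

// What the tracker's server can reconstruct from one such request.
function trackerView(req) {
  const params = new URL(req.url).searchParams;
  const m = /(?:^|; )remember_uid=([^;]+)/.exec(req.cookie);
  return { site: params.get('site'), action: params.get('action'), user: m ? m[1] : null };
}

// Log in (optionally ticking "remember me"), log out, then buy on a partner site.
function scenario(rememberMe) {
  const jar = new CookieJar();
  jar.set('session', 'abc123', false);                    // set at login
  if (rememberMe) jar.set('remember_uid', '1001', true);  // persistent cookie
  jar.logout();
  return trackerView(beaconRequest(jar, 'tickets.example', 'purchase'));
}

console.log(scenario(true));   // action received and tied to user 1001
console.log(scenario(false));  // action still received, no user id attached
```

In both cases the purchase reaches the tracker; the persistent cookie only decides whether it can be tied to an account, which is why clearing cookies or blocking the third-party script changes the outcome and logging out does not.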

i couldn't keep up, even if i tried, with all the "program/device/service X is more intrusive and stealthy than they first admitted" i have heard in the past few years. let alone take measures that would actually secure my data.

i just assume that anyone dedicated enough can read everything i've ever saved on a computer whenever i'm on the intertubes. privacy is a great idea, but one i don't see coming back for at least a while. there isn't yet a critical mass large enough to enforce it according to the reality of today's technology.

Having been caught up in the AT&T Southwest Region DSL Outage all night I am about to do that bow down and admit-I-am-powerless-against-my-addiction routine in re: online access. Absolutely no alternative for DSL out here in the sticks where we only have copperline phone service because the FDR era rules mandate universal service. With circa 4 residents per square mile or so, and not all of them interested in the service, I don't expect WiFi to come charging in any time soon. :)

Wonder who gets the info after Facebook and their advertisers? Actually the gov't probably gets the info first from Facebook. After all, corporations and gov't are merely quid-pro-quo whorehouses sold to the highest bidder. When the gov't needs illegal wire-taps, Verizon and Sprint allow them secret rooms to listen in on calls. When Halliburton (and KBR) need more revenue, the gov't hands out no-bid contracts. When the gov't dislikes literature, Amazon and Wikipedia ban the America Deceived (book). We The People had our gov't sold out from beneath us.

We. Are. Going. To. Die. We must restore hope in the world. We must bring forth a new way of living that can sustain the world. Or else it is not just us who will die but everyone. What have we got to lose? Go forth and Fight!—Xan

It's not just Facebook, don't you realise that it is MySpace, bebo, tagged, etc as well as facebook. No matter how strong of security certificates you have on the internet, people can and will access your information.

You would have one computer that you use for all this crappy, trendy, allegedly "hip" garbage like myspace.com and facebook.com, et al, or any other sites/internet companies that have a reputation for installing/using spybots/ware against, or directly spying upon, their users. You would then NEVER use this first computer for general internet browsing, or anything else you don't want to get back to Facebook, etc.

Your OTHER computer would be used ONLY for your general web surfing (clear your cookies and cache A LOT!). You can anonymize your web surfing using the software available at the following sites:

Install Firefox FIRST (set it to clear all user tracks, cookies, etc, automatically every time the browser is closed), then Tor (The Onion Router, torproject.org), second. Tor uses a distributed network with onion routing to conceal your IP address when browsing the internet. Lastly, but most importantly, install NoScript. NoScript eliminates the activity of JavaScript, and many other scripts that can bypass Tor and reveal your real IP address! There are also ways you can use Tor to creatively foil spying scripts by having Tor establish a new network path, and thus new pseudo-identity, for you every few minutes, or between use of different Firefox windows.

You would then - and this is crucial - be very careful not to mix up the usage of your two computers!

You would do things like online banking, for example, ONLY on the second of these computers, but ONLY after thoroughly erasing your cookies AND browser cache! When you're done with your online banking, you would then clear your cookies and cache again before doing any general anonymous web surfing.

If you can afford only one internet connection, you have the added inconvenience of physically moving the connection back and forth between the two computers, but for the sake of PRIVACY (which when lost, these days, can often never be recovered), this added inconvenience is well worth it.

Use PGP (Pretty Good Privacy) also!

If you're really serious about protecting your privacy, understand that no plan to protect it is foolproof, but there are things you can do to GREATLY increase your privacy, if you just think, be creative, and use technology that is out there and available for your use.

It's important that you think very carefully about, and watch, what you're doing online if privacy is important to you.

Be aware, that there are many other sites besides Facebook that can threaten your privacy. You should keep in mind that any web site, especially obviously commercial ones, may become less than completely trustworthy at any time.

You can also use your firewall.. you ARE using a firewall, aren't you?!

You can also use your firewall program (or hardware firewall, or NAT router) to block, or disable Microsoft Internet Explorer and Outlook Express.

If like me, you're so stupid as to be using MS Windows at all - rather than Linux, or Mac - you should also definitely TURN OFF Instant Messenger, and use your firewall program to BLOCK as many Microsoft network access programs as you can without completely disabling all network access as such. Just block Internet Explorer and Outlook Express only, unless you know more about what you're doing.

I've read about Tor, and even posted on it, but doesn't Tor have a security flaw, in that somebody can sit at the endpoint where Tor connects back to the regular Internet, and sniff packets there? (If I have the terms of art right.) Is there a solution for that?

Yes, the last computers in the TOR network that interface the real world can sniff all incoming and outgoing packets. The way you can break TOR security is by also having enough malicious TOR users who are scattered throughout, so you may not know where a packet is going, but since three of your neighbor connections are spies, they can figure out where those packets ended up.

By the way for any PGP advocates, you would soon be labeled a homegrown terrist. Just FYI, military grade encryption is immediate grounds for snooping into what you are up to.

The "last computers in the TOR network", likely referring to exit nodes, can only sniff unencrypted traffic. If you are doing something that requires privacy and authenticity, browse to https sites (and turn off SSLv2 support in your browser; SSLv3 and TLS are ok).

Malicious Tor *users* (clients) cannot do anything to you. Perhaps you refer to Tor relay node operators. Even if all of your neighbours are spies, your own computer's Tor proxy ensures that your traffic is encrypted and onion-routed through 3 or more nodes on the way to its destination. Your neighbours cannot see where you are browsing.

Someone like the NSA which intercepts traffic at major ISP crossovers could do analysis of timing to track your traffic, assuming they cared to do so. The more people join up and use Tor, the harder this becomes.
